FIELD OF THE INVENTION
The present invention relates to digital signature schemes in general, 
and in particular to the OSS signature scheme. 

BACKGROUND OF THE INVENTION 

Many signature schemes are based on the difficulty of solving a
hard mathematical problem. With special knowledge, typically termed in the art
knowledge of a "trapdoor", the mathematical problem can be solved easily. Easy
solution allows one who knows the trapdoor to easily sign a document. The
difficulty that anyone else, not knowing the trapdoor, has in solving the hard problem and
thus forging the signature makes the signature reliable.

The following references may assist in understanding the
background of the present invention, and are referred to below according to their
respective numbers:

[1] L. Adleman, D. Estes, and K. McCurley, "Solving Bivariate 
Quadratic Congruences in Random Polynomial Time," Mathematics of 
Computation, v. 48, n. 177, Jan 1987, pp. 17-28. 

[2] D. Estes, L. Adleman, K. Kompella, K. McCurley, and G.
Miller, "Breaking the Ong-Schnorr-Shamir Signature Scheme for Quadratic
Number Fields," Advances in Cryptology: Proceedings of CRYPTO '85,
Springer-Verlag, 1986, pp. 3-13.

[3] A. Fiat and A. Shamir, "How to Prove Yourself: Practical
Solutions to Identification and Signature Problems," Advances in Cryptology:
Proceedings of CRYPTO '86, Springer-Verlag, 1987, pp. 186-194.

[4] D. Naccache, "Can O.S.S. be Repaired? Proposal for a New
Practical Signature Scheme," Advances in Cryptology: Proceedings of
EUROCRYPT '93, Springer-Verlag, 1994, pp. 233-239.

[5] National Institute of Standards and Technology, NIST FIPS 
PUB 186, "Digital Signature Standard," U.S. Department of Commerce, May 
1994. 
[6] H. Ong, C.P. Schnorr, and A. Shamir, "An Efficient Signature
Scheme Based on Quadratic Equations," Proceedings of the 16th Annual
Symposium on the Theory of Computing, 1984, pp. 208-216.

[7] H. Ong, C.P. Schnorr, and A. Shamir, "Efficient Signature
Schemes Based on Polynomial Equations," Advances in Cryptology: Proceedings
of CRYPTO '84, Springer-Verlag, 1985, pp. 37-46.

[8] J. Pollard and C. Schnorr, "An Efficient Solution of the
Congruence x^2 + k·y^2 = m mod n," IEEE Transactions on Information Theory, v.
IT-33, n. 5, Sep 1987, pp. 702-709.

[9] M. O. Rabin, "Digital Signatures and Public-Key Functions as
Intractable as Factorization," MIT Laboratory for Computer Science, Technical
Report, MIT/LCS/TR-212, Jan 1979.

[10] R. L. Rivest, A. Shamir, and L. M. Adleman, "A Method for 
Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of 
the ACM, v. 21, n. 2, Feb 1978, pp. 120-126. 

[11] US Patent 4,405,829 to Rivest et al. 

[12] US Patent 4,748,668 to Shamir et al. 

The following mathematical and related conventions are used 
throughout the present specification and claims. 

1. Greek symbols α, β, γ are used to denote variables that may be
chosen "randomly" (within certain specified constraints), and upper case letters
(A, B, C, ...) to denote variables that are either directly or indirectly derived from
these random variables.

2. N is used to denote a composite modulus suitable for RSA; that
is, the product of two large prime, secret factors. All operations will be in one of
the three rings of integers: Z, Z_N, and Z_β (where β is an integer we will choose).
With each step, we will clearly indicate in which ring the step is being performed.
Additionally, to avoid confusion, we will use the notation x^-1 to denote the inverse
of x in the finite ring Z_N or Z_β (and y·x^-1 to denote y divided by x in Z_N or Z_β), while
we will use the notation y/x to denote integer division (with truncation as needed)
in Z.



RSA refers to the well-known RSA signature scheme described, for 
example, in references [10] and [11]. 

Since, as is well known, multiplication does not associate with
integer division, that is, x·(y/z) may not equal (x·y)/z, parentheses will be used as
necessary to avoid ambiguity. For example:

3·(5/2) = 6 ≠ 7 = (3·5)/2

The OSS signature scheme was proposed over 15 years ago in
reference [6]. The OSS signature scheme was based on the supposed difficulty of
finding solutions to quadratic bivariate equations in Z_N, with the trapdoor allowing
a legitimate signer to sign being structural knowledge of the coefficients that
allowed factoring a constant term of the polynomial into linear expressions. For
example, solving for x, y in the equation termed herein "the OSS equation":

x^2 - V·y^2 - m = 0 in Z_N

can be done with knowledge of S such that S^-2 = V in Z_N:

(x + y·S^-1)·(x - y·S^-1) = m

Decomposing the constant m into factors α and m·α^-1 for some
randomly chosen invertible α in Z_N, and solving the system of simultaneous linear
equations:

x + y·S^-1 = m·α^-1
x - y·S^-1 = α

yields the solution:

x = 2^-1·(m·α^-1 + α)
y = 2^-1·S·(m·α^-1 - α)



Throughout the present specification and claims, the notation (a, b)
is used to denote an ordered pair comprising a and b. The above problem is
transformed to a signature scheme by allowing (V, N) to be the public key, S to be
the private key, m to be the message digest to be signed, and (x, y) to be the
signature.

The OSS signature scheme was broken with the development of a
random polynomial time method for solving bivariate quadratic equations in
general, without the trapdoor knowledge; see references [1], [2], and [8]. This
solution method is much less efficient than the solution method using the trapdoor,
but still sufficiently tractable to render the OSS scheme insecure for most digital
signature purposes.

The appeal of OSS, then and now, is that it requires a very small
number of multiple precision multiplicative operations to sign, in contrast to most
other secure public key signature methods based on either factoring or discrete
logarithms. Some schemes, such as DSA, described in reference [5], also achieve
this result when precomputation is allowed; that is, when not counting the work
done prior to knowledge of the message to be signed. However, precomputation is
not always operationally feasible.

Many public key signature schemes, such as low exponent RSA,
described in references [10] and [11], or Rabin, described in reference [9], can be
very efficient for the verifier, but not for the signer. However, in certain contexts,
particularly digital signature using a smart card, it is appreciated that the ability to
sign efficiently is more important than the ability to verify efficiently.

For the reason of efficiency, there have been many attempts to
repair OSS with variants of various types, primarily retaining the flavor of the
original OSS while introducing constructs or changing the domain so as to
obstruct the attack on the original OSS. All such proposals have either been
shown to be insecure, do not retain the appealing property of using a very limited
number of multiplicative operations, or are of too recent vintage to be considered
secure yet.

For example, the original proposers of OSS generalized the problem
by extending the domain from which the signature variables and coefficients were
to be chosen from the rational integers to the quadratic integers, as described in
reference [7], hoping that the attack method on the original form could not be
applied in the new case. However, it was shown, as described in reference [2],
that an instance of the extended problem may be polynomially transformed to the
simpler domain, and the transformed problem can then be solved with the original
attack. Thus, the quadratic integers variation does not overcome the weakness of
the original OSS.

Naccache, as described in reference [4], proposes two alternate
approaches to securing OSS, taking advantage of the fact that the attacker has no
control over the "structure" of the x and y returned by the OSS attack method. In
the first of these approaches, the public key V is replaced by a non-polynomial
function of x, thereby obstructing the attack method, which necessarily generates
the x and y in parallel. He presents a practical example of a non-polynomial
function in which the private key holder can solve the resultant equation. While
this construct is sound and fairly efficient, it is very similar to the approach of the
Fiat-Shamir signature scheme, described in references [3] and [12], in which a
large number of "binary proofs" are effectively "aggregated", and the number of
multiple precision multiplicative operations needed (as well as the number of keys
needed) is proportional to the logarithm of the size of a secure search space. Thus,
the first Naccache approach is not as efficient as the original OSS.

In the second Naccache approach, Naccache proposes requiring the
choosing of x and y in such a way that the random parameter upon which x and y
are based must have a required structural form. It will be apparent to persons
skilled in the art that the difficulty of constructing such a scheme is that the
random parameter must be kept a secret in order to avoid compromising the
private key. He presents an intuitive argument of how it might be possible to
construct such a scheme, which would be more like the original OSS in terms of
having a single key and would perhaps require a small number of multiplicative
operations. Although this approach looks promising, the inventor of the present
invention is not aware of any convincing results yet in this direction.

There is thus a need for an effective and efficient approach to
securing OSS.
The disclosures of all references mentioned above and throughout
the present specification are hereby incorporated herein by reference.
SUMMARY OF THE INVENTION

The present invention seeks to provide an improved variant of the 
OSS signature scheme. 

The present invention, in a preferred embodiment thereof, uses yet 
another approach to securing OSS, by generalizing the original OSS equation to 
include approximations. Proof of the security of the preferred approach is not 
currently available, but the approach appears resistant to the types of attacks on 
OSS and OSS variants used until now. It is speculated that a different attack, from 
a somewhat different mathematical domain, would be needed to disprove its 
security. 

There is thus provided in accordance with a preferred embodiment
of the present invention a method for digitally signing a message, the method
including providing a message digest (M_x, M_z), providing a modulus N, providing
a number V in the ring Z_N, wherein for another number S in the ring Z_N, V·S^2 = 1 in
Z_N, solving the equation (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N to produce x, y, and z,
and assigning SIG as the signature of (M_x, M_z), wherein SIG includes (x, y).

Further in accordance with a preferred embodiment of the present 
invention SIG includes (x,y,z). 

Still further in accordance with a preferred embodiment of the
present invention the solving includes the following: a) choosing α and β in Z
such that 0 < α < β < 2^(k-1) and gcd(α, β) = 1 in Z; b) choosing γ in Z such that 2^(n-k-1)
< γ < 2^(n-k) and β | (α·N + γ) in Z; c) setting R equal to (α·N + γ) / β in Z; d) setting
T equal to -(M_z·R + M_x + R^-1) in Z_N; e) if β = 1 or T < 8·γ (in Z), setting U and W
equal to 0 and continuing with step k; f) setting D equal to α^-1 in Z_β; g) setting A
equal to N / β in Z; h) setting B equal to (T - 8·γ) / A in Z; i) setting U equal to
B·D in Z_β; j) setting W equal to U·R in Z_N; k) setting C equal to (T - W) / γ in Z; l)
setting z equal to U + β·C in Z_N; m) setting x equal to T - z·R in Z_N; and n) setting
y equal to S·(x + M_x + 2·R^-1) in Z_N, thereby producing x, y, and z.

Additionally in accordance with a preferred embodiment of the
present invention the method also includes providing a trusted computation device
and a non-trusted computation device, and step d) includes performing a
computation in the non-trusted computation device.

Moreover in accordance with a preferred embodiment of the present
invention the computation in the non-trusted computation device includes a
computation of R^-1.

Further in accordance with a preferred embodiment of the present 
invention the computation in the non-trusted computation device is protected from 
tampering by performing a blinding method in the trusted computation device. 

Still further in accordance with a preferred embodiment of the
present invention the method also includes verifying a result of the computation in
the non-trusted computation device.

Additionally in accordance with a preferred embodiment of the
present invention step a) includes screening α and β.

Moreover in accordance with a preferred embodiment of the present
invention the screening includes reducing α and β modulo 210.

Further in accordance with a preferred embodiment of the present
invention the reducing α and β modulo 210 includes computing gcd(210, (α mod
210), (β mod 210)) to produce a result, and rejecting α and β and choosing another
α and β if the result is not equal to 1.
Still further in accordance with a preferred embodiment of the
present invention the solving includes the following: a) setting α equal to 0; b)
setting β = 1; c) choosing γ such that 2^(n-k-1) < γ < 2^(n-k); d) setting T equal to -(M_z·γ +
M_x + γ^-1) in Z_N; e) setting z equal to T / γ in Z; f) setting x equal to T - z·γ in Z_N;
and g) setting y equal to S·(x + M_x + 2·γ^-1) in Z_N,
thereby producing x, y, and z.

Additionally in accordance with a preferred embodiment of the
present invention the method also includes providing a trusted computation device
and a non-trusted computation device, wherein step d) includes performing a
computation in the non-trusted computation device.

Further in accordance with a preferred embodiment of the present
invention the computation in the non-trusted computation device includes a
computation of γ^-1.
Still further in accordance with a preferred embodiment of the
present invention the computation in the non-trusted computation device is
protected from tampering by performing a blinding method in the trusted
computation device.

Additionally in accordance with a preferred embodiment of the
present invention the method also includes verifying a result of the computation in
the non-trusted computation device.

There is also provided in accordance with another preferred
embodiment of the present invention a message signer for digitally signing a
message based on a message digest (M_x, M_z), a modulus N, and a number V in the
ring Z_N wherein for another number S in the ring Z_N, V·S^2 = 1 in Z_N, the message
signer including a solver for solving the equation (M_x + x)^2 - V·y^2 = 4·(M_z + z) in
Z_N to produce x, y, and z, and a signature assignor for assigning SIG as the
signature of (M_x, M_z), wherein SIG includes (x, y).
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully 
from the following detailed description, taken in conjunction with the drawings in 
which: 

Fig. 1 is a simplified block diagram illustration of a method for 
signing a message digest in accordance with a preferred embodiment of the 
present invention; 

Figs. 2A and 2B, taken together, comprise a simplified flowchart 
illustration of a preferred implementation of step 100 of Fig. 1; 

Fig. 3 comprises a simplified flowchart illustration of an alternative 
preferred implementation of step 100 of Fig. 1; and 

Fig. 4 is a simplified block diagram illustration of an apparatus 
suitable for implementing the method of Fig. 1. 
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

In a preferred embodiment of the present invention, the OSS
problem is generalized by adding a third variable z, with restricted range, to the
right hand side of the OSS equation described above, thus effectively changing the
OSS equation to an approximate equality. The system based on the approximate
equality is also termed herein "Fuzzy OSS". At the same time a compensation is
made by restricting the range of variable x, so that the number of solutions for any
given key and message digest remains approximately the same as in the original
problem, i.e., it remains approximately O(N).

Note that the approach of the preferred embodiment differs from the
second Naccache approach presented above. In this case it is the value of x itself
which is explicitly being restricted, rather than the relation between x and its
generating random parameter being implicitly restricted, as in the second
Naccache approach. The modified, or Fuzzy OSS, problem then appears as
follows:

Find a solution (x, y, z), in Z_N × Z_N × Z_N, for the equation:

(M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N

termed herein the Fuzzy OSS equation, where:

N is a given "RSA-type" modulus of length n bits (i.e., 2^(n-1) < N <
2^n) and secret factorization;

x and z satisfy 0 < x < 2^(n-k) and 0 < z < 2^(k+3) for a given k, 0 << 2·k <
n; and

M_x, M_z, and V are given.

Note that if k is allowed to approach 0 (as opposed to the 
requirement given above), this problem becomes computationally equivalent to the 
original OSS problem. 

A more general statement concerning x and z may be given as
follows:

0 < x < 2^u
0 < z < 2^v
The requirements for u and v can be stated more generally as
follows:

• The sum u + v should be close to n. If it is considerably smaller than n, the
solution methods given herein will not succeed most of the time. To the extent
that it is greater than n, the problem will become easier for an attacker to solve
(i.e., to "forge", even without knowing the secret).

• The value of u should preferably be greater than or equal to n/2. If u is less
than n/2, then the problem is still solvable, but the solution methods given
herein need to be modified slightly, and some generality of solution is lost
(with possible loss of security).

• The value of v should not be "close" to either 0 or n. If v is close to 0, the
problem may be transformed to an instance of the original OSS problem
(which is not secure). If v is close to n, the problem is trivial to solve.

Given the above guidelines, the choice of u = n-k and v = k+3 (with
k < n/2, but k not close to 0) was made to allow the solution, described below, to
always find a solution, without ever needing to retry. The addition of the small
"offset" constant 3 in the exponent (or any such small offset) does not affect the
essential difficulty of the problem.

The Fuzzy OSS problem can be made into a signature scheme by
allowing (V, N) to be the public key, S to be the private key (where V·S^2 = 1 in
Z_N), and (M_x, M_z) to be the message digest to be signed. The signature of (M_x,
M_z) is the triple (x, y, z); however, since z can be easily and deterministically
computed from (x, y) without knowledge of the private key, it does not need to be
sent or even calculated by the signer. In the solution method presented below, z
will be computed because its value is needed as an intermediate value in the
calculation of x and y. The discussion below, with reference to Fig. 2, will show
how knowledge of the private key S allows a relatively efficient solution to this
problem.

Reference is now made to Fig. 1 which is a simplified block
diagram illustration of a method for signing a message digest in accordance with a
preferred embodiment of the present invention. The method of Fig. 1 is
self-explanatory with reference to the above discussion, except as follows. Preferably,
in step 100, a method is provided to solve the Fuzzy OSS equation, based
preferably on secret knowledge of a key S as described above.

Reference is now made to Figs. 2A and 2B, which, taken together, 
comprise a simplified flowchart illustration of a preferred implementation of step 
100 of Fig. 1. 

As mentioned above, operations described below will be performed
in three different rings: Z, Z_N, and Z_β (where β will be chosen). For each step, the
ring in which to perform the operation will be noted.

The method of Figs. 2A and 2B preferably comprises the following
steps:

Step 110: Choose α and β in Z such that 0 < α < β < 2^(k-1) and gcd(α, β) = 1 (in Z)

Step 120: Choose γ in Z such that 2^(n-k-1) < γ < 2^(n-k) and β | (α·N + γ) (in Z)

Step 130: Set R ← (α·N + γ) / β (in Z; i.e., integer division)

Step 140: Set T ← -(M_z·R + M_x + R^-1) (in Z_N)

Steps 150 and 155: If β = 1 or T < 8·γ (in Z), set U, W ← 0 and go directly to step 210.

Step 160: Set D ← α^-1 (in Z_β, not in Z_N; i.e., α·D = 1 in Z_β)

Step 170: Set A ← N / β (in Z; i.e., integer division with truncation)

Step 180: Set B ← (T - 8·γ) / A (in Z; i.e., integer division with truncation)

Step 190: Set U ← B·D (in Z_β, not in Z_N)

Step 200: Set W ← U·R (in Z_N)

Step 210: Set C ← (T - W) / γ (in Z; i.e., integer division with truncation)

Step 220: Set z ← U + β·C (in Z_N)

Step 230: Set x ← T - z·R (in Z_N)

Step 240: Set y ← S·(x + M_x + 2·R^-1) (in Z_N)
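The following is an added worked example, not code from the patent, implementing steps 110 through 240 above as a Python signer together with the verifier's check (recovering z from (x, y) with the public key alone, as described earlier). It assumes a toy modulus built from the Mersenne primes 2^31 - 1 and 2^61 - 1, k = 10, and a constructed message digest; passing alpha = 0, beta = 1 selects the alternative embodiment of Fig. 3 in which R = γ.

```python
# Added example: Fuzzy OSS signing (Figs. 2A/2B) and verification, toy parameters.
import random
from math import gcd


def keygen(p, q, rng):
    """Public key (V, N) and private key S with V*S^2 = 1 in Z_N.
    p and q are the secret prime factors of N (toy values in demo())."""
    N = p * q
    while True:
        S = rng.randrange(2, N)
        if gcd(S, N) == 1:
            break
    V = pow(S * S % N, -1, N)             # V = S^-2 in Z_N
    return (V, N), S


def sign(M, pub, S, k, rng, alpha=None, beta=None):
    """Steps 110-240 of Figs. 2A/2B: return (x, y, z) such that
    (M_x + x)^2 - V*y^2 = 4*(M_z + z) in Z_N, 0 <= x < 2^(n-k), 0 <= z < 2^(k+3).
    By default alpha, beta are drawn as in step 110 (needs k >= 3); passing
    alpha=0, beta=1 gives the alternative embodiment of Fig. 3, where R = gamma."""
    M_x, M_z = M
    V, N = pub
    n = N.bit_length()                    # 2^(n-1) < N < 2^n
    assert 0 < 2 * k < n
    if beta is None:                      # Step 110 (in Z): coprime alpha < beta
        while True:
            beta = rng.randrange(2, 1 << (k - 1))
            alpha = rng.randrange(1, beta)
            if gcd(alpha, beta) == 1:
                break
    lo, hi = 1 << (n - k - 1), 1 << (n - k)
    gamma = rng.randrange(lo + 1, hi)     # Step 120: adjust so beta | alpha*N + gamma
    gamma -= (alpha * N + gamma) % beta
    if gamma <= lo:
        gamma += beta
    R = (alpha * N + gamma) // beta       # Step 130 (in Z; exact by step 120)
    R_inv = pow(R, -1, N)
    T = (-(M_z * R + M_x + R_inv)) % N    # Step 140 (in Z_N)
    if beta == 1 or T < 8 * gamma:        # Steps 150/155: coarse estimate is 0
        U = W = 0
    else:
        D = pow(alpha, -1, beta)          # Step 160 (in Z_beta)
        A = N // beta                     # Step 170 (in Z)
        B = (T - 8 * gamma) // A          # Step 180 (in Z)
        U = (B * D) % beta                # Step 190 (in Z_beta): coarse z
        W = (U * R) % N                   # Step 200 (in Z_N): about T - 8*gamma
    C = (T - W) // gamma                  # Step 210 (in Z); W <= T by lemma [L7]
    z = (U + beta * C) % N                # Step 220: add the fine correction
    x = (T - z * R) % N                   # Step 230
    y = (S * (x + M_x + 2 * R_inv)) % N   # Step 240
    return x, y, z


def verify(M, sig, pub, k):
    """Verifier: recover z from (x, y) with the public key only, then check
    the range conditions [A2] and [A3]; [A1] holds by construction of z."""
    M_x, M_z = M
    x, y = sig
    V, N = pub
    n = N.bit_length()
    if not 0 <= x < (1 << (n - k)):
        return False
    lhs = ((M_x + x) ** 2 - V * y * y) % N
    z = (lhs * pow(4, -1, N) - M_z) % N   # z = ((M_x+x)^2 - V*y^2)/4 - M_z
    return z < (1 << (k + 3))


def demo(seed=1, k=10, alt=False):
    """Sign a constructed digest under a toy key; return the truth of
    [A1], [A2], [A3], the verifier's verdict on the genuine signature and
    its verdict on a tampered one.  alt=True uses the Fig. 3 variant."""
    rng = random.Random(seed)
    pub, S = keygen((1 << 31) - 1, (1 << 61) - 1, rng)   # toy 92-bit N
    V, N = pub
    M = (rng.randrange(N), rng.randrange(N))             # constructed digest
    extra = {"alpha": 0, "beta": 1} if alt else {}
    x, y, z = sign(M, pub, S, k, rng, **extra)
    n = N.bit_length()
    a1 = ((M[0] + x) ** 2 - V * y * y) % N == 4 * (M[1] + z) % N
    a2 = 0 <= x < (1 << (n - k))
    a3 = 0 <= z < (1 << (k + 3))
    genuine = verify(M, (x, y), pub, k)
    tampered = verify(M, ((x + 1) % N, y), pub, k)
    return a1, a2, a3, genuine, tampered


if __name__ == "__main__":
    print(demo(), demo(alt=True))         # (True, True, True, True, False) twice
```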
The method of Figs. 2A and 2B is now briefly described. A proof
of correctness of the method of Figs. 2A and 2B is provided below.

The general form of a solution to the Fuzzy OSS equation (ignoring,
for the moment, the inequalities that must also be satisfied for x and z), is:

(M_x + x) = ±(R^-1 + (M_z + z)·R) and y = ±S·(R^-1 - (M_z + z)·R)

If we arbitrarily choose the "-" in the ±, and set T equal to a
common subexpression:

T = -(M_z·R + M_x + R^-1)

then steps 140, 230, and 240 follow immediately.

In other words, it is simply a matter of algebraic manipulation to
find x, y, and z that satisfy the Fuzzy OSS equation; such x, y, and z will not
necessarily satisfy the required additional inequalities. Steps 140, 230, and 240
guarantee that the equation is satisfied for any arbitrarily chosen R and z. The
purpose of the other steps is to guarantee that the inequalities will also be satisfied.

More specifically:

• Steps 110 - 130 have the purpose of choosing an R such that for any M_x and
M_z it will be possible to find a z such that not only the Fuzzy OSS equation,
but also the inequalities on x and z, are satisfied.

• Given that choice of R, steps 150 - 220 have the purpose of choosing such a z.
The following is intended to be an intuitive, informal argument of
why the method of Figs. 2A and 2B works; a formal proof is provided below. In
this informal description, we will use terms like "small" (and "close") to denote
values (and differences of values) that are much smaller than the modulus N. By
this convention, for example, x and z would be considered "small", although they
are usually very large numbers.

Regarding the choice of R (steps 110 - 130), note that eventually
z·R = T - x in Z_N (by step 230). Since x and z both are required to be "small", this
is really equivalent to saying that R should be chosen such that for any resultant T,
it is possible to find a "small" z such that z·R is "close" to, but less than, T. This
can be done, as described below with reference to steps 150 - 220, when R is
chosen according to steps 110 - 130.

Now, given that choice of R, we need to find "small" z such that z·R
mod N is "close" to T (since x = T - z·R mod N must be small). This is actually
done in two stages:

• Steps 160 - 190 compute a "coarse estimate" U of z, actually aiming to find a
value U such that U·R = T - 8·γ mod N, i.e., actually slightly less than T.

• Steps 200 - 220 compute an error term (T - U·R) mod N, and from that term
derive a "fine correction" β·C to be added to the coarse estimate U in order to
produce the actual z value.

In steps 150 and 155, T is checked to see if it is "small". If the T is 
"small", then the coarse estimate U for z is taken as zero, steps 160 - 200 may be 
skipped, and the fine correction becomes the full value of z. 

The efficiency of the method of Figs. 2A and 2B will be analyzed
below. In the analysis, it will be noted that an even more efficient solution
than the method of Figs. 2A and 2B exists based on β = 1 or at least β "small".
However, there is some question whether the method thus restricted is as secure,
since it generates solutions with far less generality, within the entire solution
space, than the above method.

A proof of correctness of the method of Figs. 2A and 2B is now
offered as follows.

The following is asserted to be true:

[A1] (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N

[A2] 0 < x < 2^(n-k)

[A3] 0 < z < 2^(k+3)
The items asserted to be true are also termed herein "assertions".

The following simple lemmas concerning properties of integer
division, with truncation as necessary, are presented without proof. All variables
are positive integers:

[L1] 0 ≤ (x·y)/z - x·(y/z) < x

[L2] 0 ≤ (x + y)/z - (x/z + y/z) ≤ 1

[L3] x < z ⇒ (x·y)/z < y

[L4] w ≡ x (mod z) ⇒ (w·y)/z ≡ (x·y)/z (mod y)

[L5] y < x ⇒ x/(x/y) < 2·y

[L6] (((x·y)/z)/y)·z ≤ x

The following lemma concerning the relationship between W and T
is now presented with proof; the lemma will be needed for the proofs of
assertions [A2] and [A3] above:

[L7] W ≤ T, and either β = 1 or (T - W) < (15·2^(k-1)·γ) / β

Proof:

Note: In this proof, and in the proofs of the assertions mentioned
above that follow, when evaluating variables such as W, x, or z that are evaluated
modulo N, in the interest of simplifying the notation, any multiples of N that
implicitly appear are dropped additively at the highest level of the equality, rather
than carrying them through and dropping them at the end. Note especially the
point concerning dropping at the highest level: if x = y + N·z, x = y may be
written, but it is not valid to write x = y/w in place of x = (y + N·z)/w.
If β is chosen to be 1, then W is set to 0 (steps 150 and 155 of the
method of Figs. 2A and 2B), so the result immediately follows.

Likewise, if (at step 150 of the method) T < 8·γ, then W is set to 0,
and again the result follows almost immediately, since β < 2^(k-1).

Otherwise:

W = U·R                                            {Step 200}
  = U·((α·N + γ)/β)                                {Step 130}
  = (U·(α·N + γ))/β - ε_1                          {0 ≤ ε_1 < U; Lemma [L1]}
  = (U·α·N + U·γ)/β - ε_1
  = (U·α·N)/β + (U·γ)/β - ε_1 + ε_2                {0 ≤ ε_2 ≤ 1; Lemma [L2]}
  = (U·α·N)/β - ε_1 + ε_2 + ε_3                    {0 ≤ ε_3 < γ; Lemma [L3]}
  = (B·D·α·N)/β - ε_1 + ε_2 + ε_3                  {Step 190; Lemma [L4]}
  = (B·N)/β - ε_1 + ε_2 + ε_3                      {Step 160; Lemma [L4]}
  = B·(N/β) - ε_1 + ε_2 + ε_3 + ε_4                {0 ≤ ε_4 < B; Lemma [L1]}
  = B·A - ε_1 + ε_2 + ε_3 + ε_4                    {Step 170}
  = ((T - 8·γ)/A)·A - ε_1 + ε_2 + ε_3 + ε_4        {Step 180}
  = (T - 8·γ) - ε_1 + ε_2 + ε_3 + ε_4 - ε_5        {0 ≤ ε_5 < A; Lemma [L1]}
So T - W = 8·γ + ε_1 + ε_5 - ε_2 - ε_3 - ε_4. Since all of the ε_i are
non-negative, we will have proved our lemma if we can show that:

[a] ε_2 + ε_3 + ε_4 < 8·γ, and

[b] 8·γ + ε_1 + ε_5 < (15·2^(k-1)·γ)/β
Proof of [a]:

B = (T - 8·γ)/A                                    {Step 180}
  < N / A
  = N / (N/β)                                      {Step 170}
  < 2·β                                            {Lemma [L5]}
  < 2·γ

So ε_2 + ε_3 + ε_4 < 1 + γ + B < 8·γ

Proof of [b]:

A = N/β                                            {Step 170}
  < 2^n/β
  = (4·2^(k-1)·2^(n-k-1))/β
  < (4·2^(k-1)·γ)/β

Also, U < β < γ, and β < 2^(k-1) (and thus x < (x·2^(k-1))/β for any x).
So 8·γ + ε_1 + ε_5 < 8·γ + U + A < (15·2^(k-1)·γ)/β

Proof of assertions [A1], [A2], and [A3], using lemma [L7] where
necessary:

[A1] (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N

Proof:

(M_x + x)^2 - V·y^2 = (M_x + T - z·R)^2 - V·S^2·(x + M_x + 2·R^-1)^2
  = ((M_z + z)·R + R^-1)^2 - (T - z·R + M_x + 2·R^-1)^2
  = ((M_z + z)·R + R^-1)^2 - ((M_z + z)·R - R^-1)^2
  = 4·(M_z + z)

[A2] 0 < x < 2^(n-k)
Proof:

x = T - z·R                                        {Step 230}
  = T - (U + β·C)·R                                {Step 220}
  = (T - U·R) - (β·R)·C
  = (T - W) - γ·C                                  {Step 130}
  = (T - W) - γ·((T - W)/γ)                        {Step 210}
  < γ                                              {Lemmas [L1], [L7]}
  < 2^(n-k)

[A3] 0 < z < 2^(k+3)
Proof:

If β = 1, then U = W = 0, so:

z = U + β·C                                        {Step 220}
  = C
  = (T - W)/γ                                      {Step 210}
  = T/γ
  < N/2^(n-k-1)
  < 2^(k+3)

Otherwise, by Lemma [L7], (T - W) < (15·γ·2^(k-1))/β, so

z = U + β·C                                        {Step 220}
  = U + ((T - W)/γ)·β                              {Step 210}
  < β + ((T - W)/γ)·β                              {Step 190}
  < β + (((15·γ·2^(k-1))/β)/γ)·β                   {Lemma [L7]}
  ≤ β + 15·2^(k-1)                                 {Lemma [L6]}
  < 2^(k-1) + 15·2^(k-1) = 2^(k+3)

The efficiency of the method of Figs. 2A and 2B is now analyzed.

As will be appreciated by persons skilled in the art, there are a
limited number of multiple precision multiplicative operations involved in the
method of Figs. 2A and 2B, although more than in the original OSS. Some of the
operations are multiplications and some are divisions. Among the divisions, some
are in Z (division in Z is comparable in efficiency to multiplication) and some are
in a finite ring Z_N or Z_β (division in a finite ring is more time-consuming than
multiplication).

Here are some other observations concerning the efficiency,
referring to the steps of Figs. 2A and 2B:

Step 150 costs very little (just a multiplication by a very small
constant).

Steps 120 and 130 can essentially be combined, since γ and R can
be found in a combined process in which γ is chosen arbitrarily, α·N + γ is divided
by β to obtain the quotient (R) and the remainder, the latter being used to refine
the choice of γ so that α·N + γ is divisible by β.

Steps 110 and 160 can be combined, since the gcd method can also
yield the inverse.

R^-1 does not need to be evaluated for step 240, since it was already
evaluated for step 140.

Since the modulus N is public, the inverting of R with respect to N
may be delegated to a more powerful non-secure processor (if available) by
"blinding" the R with a random multiplicative factor in Z_N (Naccache also notes
this; see reference [4]).

Blinding involves performing some transform on secret data before
exposing it, in a way that the transform hides the original value(s). In the case of
taking the inverse of a non-zero value x in the field Z_P (P prime), the value x may
be blinded by multiplying it by an arbitrary non-zero r in Z_P:
y ← r·x (in Z_P)

Now since y can have, with equal probability, any value in Z_P, it does not need to
be kept secret; revealing y can not possibly reveal anything about x (which is
secret). Any "non-trusted" computer may be asked to invert y in Z_P:

z ← y^-1 (in Z_P)

The inverse of the original x in Z_P may then be recovered by multiplication:

x^-1 ← r·z (in Z_P)

This last step is sometimes called unblinding, that is, an inverse operation that
undoes the original blinding.

Note that the "non-trusted" computer may be non-trusted in two
senses:

• Not to be trusted with the secret value of x. 

• Not to be trusted to compute the inverse correctly (it may be possible to 
perform some sort of "fault attack" by supplying an incorrect inverse, and 

15 seeing the eventual result). A "fault attack" is an attack in which one of the 

protocol partners or some external observer intentionally introduces an error 
into the protocol to observe the processing on the faulty data, hoping thereby to 
gain some information. Such an attack attempts to take advantage of the fact 
that some otherwise secure protocols are not robust enough to avoid leaking 
20 secrets when handling non- valid data such as, for example, out of range data. 

To protect against the first point of non-trust, blinding is preferably 
used, as described above. To protect against the second point of non-trust, the 
secret computer (the one that did the blinding and unblinding) should check the 
result before proceeding: 

25 x-x~ x =? 1 (in Zp) 

Note that we assumed P is prime, which is necessary to achieve 
absolute blinding. If P is not prime, then ify is not relatively prime to P, this will 
not work. However, since RSA-type moduli are the product of two extremely 
large primes, the chance of any "randomly" chosen number (or the product of two 
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such numbers) not being relatively prime to the modulus is infinitesimally small, 
and the blinding may be treated as absolute for all practical purposes. 

The advantage of blinding, in our context, is that for "infinite 
precision" (large number of digits) numbers, modular division and modular 
inversion (while tractable, unlike modular root extraction) are considerably more 
time-consuming than modular multiplication. If the secure computer is relatively 
weak (for example, a smart card), then given the availability of a powerful but 
non-secure computer to perform the blinded inversion, it may be more efficient to 
perform all of the following: 

• Three modular multiplications (blinding, unblinding, and confirmation) in the 
secure computer. 

• A modular inversion in the non-secure computer. 

• A data transfer in each direction. 

than to perform a single inversion in the secure computer. 
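As an added worked example (not code from the patent), the blinded delegation described above in Python: the secure side blinds x with a random unit r, hands out only y = r·x, unblinds the returned inverse and confirms x·x^(-1) = 1 before using it, so that a wrong answer from the non-trusted side is detected rather than consumed. The function names and the simulated non-trusted processor (an ordinary Python function, including a deliberately faulty one standing in for the fault-attack case) are this example's own assumptions; the modulus handling covers both the prime case and an RSA-type composite, where the gcd test is the caveat noted above.

```python
"""Blinded, delegated modular inversion with a correctness check.

Added example, not code from the patent.  The secure side keeps x secret,
hands the untrusted side only y = r*x, unblinds the returned inverse and
verifies it.  Names are this example's own; the untrusted processor is
simulated by a function passed as an argument.  Python >= 3.8 (pow(a, -1, m)).
"""
import math
import secrets


def untrusted_invert(y, P):
    """What the non-secure processor is asked to do; it never sees x or r."""
    return pow(y, -1, P)


def faulty_invert(y, P):
    """An untrusted processor that returns a wrong inverse (the fault-attack case)."""
    return (pow(y, -1, P) + 1) % P


def blind(x, P):
    """Secure side: pick a random unit r and return (r, y) with y = r*x in Z_P.

    For prime P any non-zero r is a unit.  For an RSA-type composite P the
    gcd tests below almost never reject, but they keep the blinding exact.
    """
    if math.gcd(x, P) != 1:
        raise ValueError("x is not invertible modulo P")
    while True:
        r = secrets.randbelow(P)
        if r and math.gcd(r, P) == 1:
            return r, (r * x) % P


def unblind_and_check(x, r, z, P):
    """Secure side: x^-1 = r*z, then confirm x * x^-1 == 1 before using it."""
    xinv = (r * z) % P
    if (x * xinv) % P != 1:
        raise ValueError("delegated inversion returned a wrong result")
    return xinv


def delegated_inverse(x, P, invert=untrusted_invert):
    """Three multiplications on the secure side, one inversion delegated.

    blinding: y = r*x (uniform over the units of Z_P, reveals nothing about x)
    untrusted: z = y^-1 = r^-1 * x^-1
    unblinding + confirmation: x^-1 = r*z, check x * x^-1 == 1
    """
    r, y = blind(x, P)
    z = invert(y, P)
    return unblind_and_check(x, r, z, P)


if __name__ == "__main__":
    P = 1000003                 # prime: every non-zero element is a unit
    N = 65521 * 65537           # small RSA-type modulus, product of two primes
    print(delegated_inverse(12345, P), delegated_inverse(12345, N))
    try:
        delegated_inverse(12345, P, invert=faulty_invert)
    except ValueError as e:
        print("caught:", e)
```

Run stand-alone it prints the two inverses and then shows the confirmation step rejecting the faulty processor's answer; the secure side never performs an inversion itself, only the three multiplications counted above.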

The expected number of retries in step 110 until α and β are chosen 
to be relatively prime is small, since for any randomly chosen pair (α, β) of 
integers, the probability P of their having a common factor greater than 1 satisfies: 

$$P < \frac{1}{2^2} + \frac{1}{3^2} + \frac{1}{5^2} + \frac{1}{7^2} + \frac{1}{11^2} + \cdots$$

$$= \Big(1 + \frac{1}{2^2} + \frac{1}{3^2} + \frac{1}{4^2} + \frac{1}{5^2} + \cdots\Big) - \Big(1 + \frac{1}{4^2} + \frac{1}{6^2} + \frac{1}{8^2} + \frac{1}{9^2} + \cdots\Big)$$

$$= \frac{\pi^2}{6} - \Big(1 + \frac{1}{4^2} + \frac{1}{6^2} + \frac{1}{8^2} + \frac{1}{9^2} + \cdots\Big)$$

From evaluating a small number of terms, it can be seen that P < 
0.5 (the sum over the primes is approximately 0.45), so the expected number of retries is less than 1. 

Another way of stating the above result is to say that the expected 
value of φ(β)/β, where φ() is the Euler totient function and β is chosen randomly 
from some large range of integers, is slightly greater than 0.5. We will also make 
use of this fact in the following section when discussing the security of the 
method. 

The task of choosing α and β until a relatively prime pair is found 
may be additionally sped up by pre-screening with a very quick test that yields a 
small number of false positives. Randomly choose a pair (α, β), and then evaluate: 

$$\gcd\big(210,\ (\alpha \bmod 210),\ (\beta \bmod 210)\big)$$

If the value of the evaluated expression is equal to 1, then α and β 
have no common factor of 2, 3, 5, or 7, and they are with high probability 
relatively prime. (At this point it is necessary to perform the real gcd of α and β to 
eliminate any false positives, and this will also yield the inverse of α in Z_β, as 
noted above.) The remainder (modulo) of any number with respect to 210 can be 
evaluated very quickly on almost any processor, since 210 fits in a single byte. 

Reference is now additionally made to Fig. 3, which is a simplified 
flowchart illustration of an alternative preferred implementation of step 100 of 
Fig. 1. In the preferred embodiment of Fig. 3, as compared to the preferred 
embodiment of Figs. 2A and 2B, a number of steps of Figs. 2A and 2B, those 
between 160 and 200 inclusive, may be eliminated altogether by choosing (α, β) = 
(0, 1). The method of Fig. 3 is also termed herein "the restricted method". 

When β is chosen to be 1, the restricted method reduces to the 
following steps: 

Step 250: Choose γ such that 2^(n-k-1) < γ < 2^(n-k) 

Step 260: Set T ← -(M_z·γ + M_x + γ^(-1)) (in Z_N) 

Step 270: Set z ← T / γ (in Z; i.e., integer division with 
truncation) 

Step 290: Set x ← T - z·γ (in Z_N) 

Step 300: Set y ← S·(x + M_x + 2·γ^(-1)) (in Z_N) 
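The following is an added worked example, not the patent's own code, implementing the private-key method in Python: the general steps 110 to 240 of Figs. 2A and 2B (steps a) to n) of claim 3), including the modulo-210 pre-screen and the combined gcd/inverse of steps 110 and 160, the restricted method of Fig. 3 as the special case (α, β) = (0, 1), and a verifier that recovers z from the public equation and enforces the size bounds on x and z. Why the steps produce a solution: with a = (M_z + z)·R and b = R^(-1), step 230 gives x + M_x = -(a + b) and step 240 gives y·S^(-1) = b - a, so (M_x + x)^2 - V·y^2 = (a + b)^2 - (a - b)^2 = 4·a·b = 4·(M_z + z). Assumptions not fixed by the page: the digest map (M_x, M_z) (two SHA-256 values reduced into Z_N), the toy parameters n = 32, k = 8 with N = 65521·65537, and the verifier's bound z < 2^(k+3), read off the count of 2^(n+3) admissible (x, z) pairs in the security discussion below.

```python
"""Fuzzy OSS: private-key method of Figs. 2A/2B, restricted method of Fig. 3,
and the verifier's check.

Added example, not the patent's code.  Assumed here (not fixed by the page):
the digest map (two SHA-256 values reduced into Z_N), toy key sizes, and the
verifier bounds x < 2^(n-k), z < 2^(k+3), the latter read off the page's count
of 2^(n+3) admissible (x, z) pairs.  Python >= 3.8 for pow(a, -1, N).
"""
import hashlib
import math
import secrets


def egcd(a, b):
    """Extended Euclid: (g, s, t) with s*a + t*b == g == gcd(a, b).
    One pass serves both step 110 (gcd test) and step 160 (alpha^-1 mod beta)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def prescreen(alpha, beta):
    """Single-byte pre-test: a shared factor 2, 3, 5 or 7 survives reduction mod 210."""
    return math.gcd(210, math.gcd(alpha % 210, beta % 210)) == 1


def choose_alpha_beta(k):
    """Step 110: 0 <= alpha < beta < 2^(k-1), gcd(alpha, beta) = 1, plus alpha^-1 mod beta."""
    while True:
        beta = 1 + secrets.randbelow(2 ** (k - 1) - 1)
        alpha = secrets.randbelow(beta)
        if not prescreen(alpha, beta):
            continue                          # cheap reject; never rejects a coprime pair
        g, s, _ = egcd(alpha, beta)
        if g == 1:                            # full gcd removes the prescreen's false positives
            return alpha, beta, s % beta


def digest(msg, N):
    """Assumed digest map (M_x, M_z) in Z_N; the page does not specify one."""
    hx = hashlib.sha256(b"x" + msg).digest()
    hz = hashlib.sha256(b"z" + msg).digest()
    return int.from_bytes(hx, "big") % N, int.from_bytes(hz, "big") % N


def keygen(p, q, n):
    """Public (N, V), private S with V*S^2 == 1 in Z_N; needs 2^(n-1) < N = p*q < 2^n."""
    N = p * q
    assert 2 ** (n - 1) < N < 2 ** n
    while True:
        S = secrets.randbelow(N)
        if math.gcd(S, N) == 1:
            return N, pow(S, -2, N), S


def sign(msg, N, S, n, k, restricted=False):
    """Steps 110-240 of Figs. 2A/2B; restricted=True is Fig. 3, i.e. (alpha, beta) = (0, 1)."""
    Mx, Mz = digest(msg, N)
    alpha, beta, D = (0, 1, 0) if restricted else choose_alpha_beta(k)
    lo, hi = 2 ** (n - k - 1), 2 ** (n - k)
    while True:                               # steps 120 + 130 merged: pick gamma, fix divisibility
        gamma = lo + 1 + secrets.randbelow(hi - lo - 1)
        gamma -= (alpha * N + gamma) % beta
        if gamma <= lo:
            gamma += beta
        R = (alpha * N + gamma) // beta
        if math.gcd(R, N) == 1:               # R must be invertible in Z_N (virtually always)
            break
    Rinv = pow(R, -1, N)                      # the one costly inversion; delegable via blinding
    T = (-(Mz * R + Mx + Rinv)) % N           # step 140
    if beta == 1 or T < 8 * gamma:            # step 150
        U = W = 0
    else:
        A = N // beta                         # step 170
        B = (T - 8 * gamma) // A              # step 180
        U = (B * D) % beta                    # step 190
        W = (U * R) % N                       # step 200
    C = (T - W) // gamma                      # step 210
    z = (U + beta * C) % N                    # step 220: a few more than k bits
    x = (T - z * R) % N                       # step 230: equals (T - W) mod gamma, so x < 2^(n-k)
    y = (S * (x + Mx + 2 * Rinv)) % N         # step 240
    return x, y, z


def verify(msg, sig, N, V, n, k):
    """Recover z from the public equation and enforce the size bounds on x and z.
    Without the bounds this is the original OSS equation, which is solvable without S."""
    x, y = sig
    Mx, Mz = digest(msg, N)
    lhs = ((Mx + x) ** 2 - V * y * y) % N     # == 4*(M_z + z) for a genuine signature
    z = (lhs * pow(4, -1, N) - Mz) % N
    return x < 2 ** (n - k) and z < 2 ** (k + 3)


if __name__ == "__main__":
    n, k = 32, 8
    N, V, S = keygen(65521, 65537, n)
    for restricted in (False, True):
        x, y, z = sign(b"hello", N, S, n, k, restricted)
        print(restricted, x.bit_length(), z.bit_length(), verify(b"hello", (x, y), N, V, n, k))
```

Run stand-alone it signs b"hello" both ways and prints the bit lengths of x and z next to the verifier's verdict. The signature transmitted is (x, y) only: the verifier recomputes z from the equation and must then check that x and z fall inside their ranges, which is the check that separates the fuzzy problem from the original OSS equation.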

Even if β is not chosen to be 1, it will be appreciated that a large 
number of steps of the method of Figs. 2A and 2B (110 - 130, 160 - 200, and 220) 
are monotonically related in efficiency to the size of β, so they will be very 
efficient if β is much smaller than the modulus. Only steps 140, 210, 230, and 240 
remain costly independent of the size of β. In the following discussion, however, 
speculation is raised on the possible security impact of choosing β = 1 or β small. 

The security of the method of Figs. 1, 2 A, and 2B is now discussed. 

Attacks on proposed signature schemes typically take one of two 
forms: 

1. A tractable method for signing even without knowledge of the 
private key. 

2. A method for uncovering the private key, or at least information 
that allows signing, from information leaked in a set of solutions generated with 
the private key method. 

The two attack possibilities are now considered in turn. 

The original OSS fell to an attack of the first kind. It is difficult to 
speculate whether or not this attack could be extended to the Fuzzy OSS problem. 
Note, however, that in the extreme case where k is allowed to approach 0, the 
Fuzzy OSS problem converges to the original problem. Thus it seems more likely 
that any attack along these lines would incorporate the original OSS attack in some 
way, possibly in conjunction with some lattice methods, rather than being entirely 
independent of it. Alternatively, perhaps such an attack would involve a 
transformation of any Fuzzy OSS problem to an original OSS problem. 

In general, the second kind of attack described above can be avoided 
when: 

an arbitrary number of problems and corresponding solutions can 
be generated for any public key, assuming freedom over the choice of the message 
digest, in this case (M_x, M_z); and 

there is exactly, or very nearly, a one-to-one correspondence 
between the random parameters, and the solutions generated therewith according 
to the private key method, on the one hand, and the entire solution space on the 
other hand, as is the case with the original OSS. 

The first of the two conditions above clearly holds with the Fuzzy 
OSS problem, as can be easily seen from the Fuzzy OSS equation. Regarding the 
second item, when there is considerable loss of generality such as, for example, 
when the private key method generates only a fraction of the total solution space 
or generates certain solutions with significantly higher probability than others, 
some information is leaked. The ability to utilize that leaked information for a full 
attack can be highly dependent upon the structure of the private key method and 
that of the missing generality. It will be shown below that, for the Fuzzy OSS 
problem and the private key method presented herein, the solution space of the 
private key method is only "slightly" less general than the total solution space, by 
a factor of 2^j for some very small j. There will be no attempt to analyze here 
whether it is possible to exploit that lack of generality. 

First note that if (x, z) is chosen randomly (there are 2^(n+3) such 
random choices, according to the restrictions on the size of x and z), then there is, 
with probability 1/4, a total of four y values for which (x, y, z) is a solution, and 
with probability 3/4, no such y values. Thus the total true solution space (as 
opposed to the solution space generated by our private key method) has a size of 
approximately 2^(n+3). 

Now consider the set of all solutions generated by the private key 
method presented in the present specification. First consider the set of all valid (α, 
β, γ) that may be chosen according to the restrictions given, referring to the above 
description of the method of Fig. 1 and Figs. 2A and 2B. Note that for a given 
choice of β there are φ(β) possible choices of α, where φ() is the Euler totient 
function, and for each (α, β) an average of 2^(n-k-1)/β (here we are dealing with real 
numbers rather than integers) possible choices of γ. This means that for each β 
that may be chosen, there are approximately 2^(n-k-1)·φ(β)/β possible choices of (α, 
γ). Since there are 2^(k-1) possible choices of β, and it has been shown above that the 
expected value of φ(β)/β is slightly greater than 0.5, the total number of possible 
choices of (α, β, γ) is approximately (actually slightly greater than) 2^(n-3). 

Next, it will be shown that there is a one-to-one correspondence 
between choice triples (α, β, γ) and solution triples (x, y, z). It is clear from the 
method description that each such choice triple yields a single solution triple, since 
the method is deterministic from after the point of selection of the choice triple, 
but it also needs to be shown that distinct choice triples yield distinct solution 
triples. First note that (from step 240): 

$$R = 2 \cdot \big(y \cdot S^{-1} - x - M_x\big)^{-1} \quad \text{in } Z_N$$

so each solution triple is associated with a single R; we then need to show only 
that each R is associated with a single choice triple. 

Suppose two choice triples (α₁, β₁, γ₁) and (α₂, β₂, γ₂) yield the same 
R. This means that: 

$$\frac{\alpha_1 N + \gamma_1}{\beta_1} = \frac{\alpha_2 N + \gamma_2}{\beta_2}$$

or equivalently: 

$$(\alpha_1 \beta_2) N + (\gamma_1 \beta_2) = (\alpha_2 \beta_1) N + (\gamma_2 \beta_1)$$

Since: 

$$0 < \beta_1, \beta_2 < 2^{k-1} \quad\text{and}\quad 0 < \gamma_1, \gamma_2 < 2^{n-k} \quad\text{and}\quad 2^{n-1} < N$$

it follows that: 

$$0 < \gamma_1 \beta_2 < N \quad\text{and}\quad 0 < \gamma_2 \beta_1 < N$$

and so (by uniqueness of the quotient and remainder on division by N): 

$$\alpha_1 \beta_2 = \alpha_2 \beta_1 \quad\text{and}\quad \gamma_1 \beta_2 = \gamma_2 \beta_1$$

Since: 

$$\beta_2 \mid (\alpha_2 \beta_1) \quad\text{and}\quad \gcd(\beta_2, \alpha_2) = 1$$

therefore: 

$$\beta_2 \mid \beta_1 \quad (\text{and likewise } \beta_1 \mid \beta_2 \text{ by an analogous argument})$$

so β₁ = β₂, and then α₁ = α₂ and γ₁ = γ₂ follow from the two equalities above. Thus: 

$$(\alpha_1, \beta_1, \gamma_1) = (\alpha_2, \beta_2, \gamma_2)$$

Thus, it has been shown that there is a one-to-one correspondence 
between choice triples and values of R, and together with the earlier argument, 
shown that there is a one-to-one correspondence between solution triples of the 
private key method and choice triples. Since there are approximately 2^(n-3) choice 
triples, as described above, as opposed to 2^(n+3) solution triples, approximately 6 bits 
of generality are lost by the private key method. It is actually possible to tighten 
this slightly so that slightly fewer bits of generality are lost, but both the method 
and its proof become messier, and occasionally retries are necessary. The details 
are omitted here. 

As a final point, it was noted above that the efficiency of the method 
may be improved by choosing (α, β) = (0, 1), as in the method of Fig. 3, or at least 
choosing β to be "small". However, when β is chosen to be much smaller than 
2^(k-1), this significantly reduces the generality of the solution, that is, the ratio of 
solutions produced by the method to the true total number of solutions, and may 
impact the security. If k is chosen to be relatively small compared to n, the 
modulus size, but still significantly greater than 0, for example, n = 1024, k = 128, 
then a β of approximately k bits may be chosen without losing generality of the 
solution. This is because the greater freedom of γ, approximately n-k bits, offsets 
the loss of generality in β. This appears to be a way to improve performance, by 
working with a relatively small β, without sacrificing the generality of the 
solution. However, note that the signature size is (2·n - k) bits, since it does not 
need to explicitly include z, as we noted earlier, and therefore reducing k for a 
fixed n increases the signature size. 

Summarizing the above points: 

Assuming freedom in the choice of the message digest, an arbitrary 
number of problems and their corresponding solutions can be generated for any 
public key. Therefore, a private key method that covered the true total solution 
space with perfect generality and uniformity would leak no information. 

The presented private key method does not completely cover the 
true total solution space, but it comes within several bits of doing so. Moreover, 
the coverage, although not totally general, is uniform, that is, there is a one-to-one 
correspondence between choice parameters and generated solutions. 

There is no obvious way to exploit the indicated small lack of 
generality in order to learn how to sign from seeing a number of signatures, 
because of the complex, non-linear, in fact, non-polynomial, relationship between 
the choice parameters and the solutions. 

The more promising attack approach would seem to be trying to 
find a way to solve the equation without any knowledge of the private key (as with 
the original OSS attack). Such an approach would be at least as difficult as the 
original OSS attack, since Fuzzy OSS converges to OSS as k → 0. The attack 
might consist of a way of performing a polynomial-time transformation of a Fuzzy 
OSS problem to an OSS problem. 

Without limiting the generality of the present invention, it is 
appreciated that the present invention may be implemented in software on any 
appropriate hardware platform, and may also be implemented, for example, in 
firmware or in appropriate special-purpose hardware. Reference is now made to 
Fig. 4, which is a simplified block diagram illustration of an apparatus suitable for 
implementing the method of Fig. 1. The apparatus of Fig. 4 is self-explanatory. 

It is appreciated that various features of the invention which are, for 
clarity, described in the contexts of separate embodiments may also be provided in 
combination in a single embodiment. Conversely, various features of the 
invention which are, for brevity, described in the context of a single embodiment 
may also be provided separately or in any suitable subcombination. 

It will be appreciated by persons skilled in the art that the present 
invention is not limited by what has been particularly shown and described 
hereinabove. Rather the scope of the invention is defined only by the claims 
which follow: 
What is claimed is: 

CLAIMS 

1. A method for digitally signing a message, the method comprising: 
providing a message digest (M_x, M_z); 
providing a modulus N; 
providing a number V in the ring Z_N, wherein for another number S 
in the ring Z_N, V·S^2 = 1 in Z_N; 
solving the equation (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N to produce 
x, y, and z; and 
assigning SIG as the signature of (M_x, M_z), wherein SIG comprises 
(x, y). 

2. The method according to claim 1 and wherein SIG comprises 
(x, y, z). 

3. The method according to claim 1 or claim 2 and wherein the solving 
comprises the following: 

a) choosing α and β in Z such that 0 ≤ α < β < 2^(k-1) and gcd(α, β) = 
1 in Z; 

b) choosing γ in Z such that 2^(n-k-1) < γ < 2^(n-k) and β | (α·N + γ) in Z; 

c) setting R equal to (α·N + γ) / β in Z; 

d) setting T equal to -(M_z·R + M_x + R^(-1)) in Z_N; 

e) if β = 1 or T < 8·γ (in Z), setting U and W equal to 0 and 
continuing with step k); 

f) setting D equal to α^(-1) in Z_β; 

g) setting A equal to N / β in Z; 

h) setting B equal to (T - 8·γ) / A in Z; 

i) setting U equal to B·D in Z_β; 

j) setting W equal to U·R in Z_N; 

k) setting C equal to (T - W) / γ in Z; 

l) setting z equal to U + β·C in Z_N; 

m) setting x equal to T - z·R in Z_N; and 

n) setting y equal to S·(x + M_x + 2·R^(-1)) in Z_N, 

thereby producing x, y, and z. 

4. The method according to claim 3 and also comprising: 

providing a trusted computation device and a non-trusted 
computation device, 

wherein step d) comprises performing a computation in the non-
trusted computation device. 

5. The method according to claim 4 and wherein the computation in 
the non-trusted computation device comprises a computation of R^(-1). 

6. The method according to claim 5 and wherein the computation in 
the non-trusted computation device is protected from tampering by performing a 
blinding method in the trusted computation device. 

7. The method according to claim 6 and also comprising verifying a 
result of the computation in the non-trusted computation device. 

8. The method according to any of the claims 3 - 7 and wherein step a) 
comprises screening α and β. 

9. The method according to claim 8 and wherein the screening 
comprises reducing α and β modulo 210. 

10. The method according to claim 9 and wherein the reducing α and 
β modulo 210 comprises: 

computing gcd(210, (α mod 210), (β mod 210)) to produce a result; 
and 

rejecting α and β and choosing another α and β if the result is not 
equal to 1. 

11. The method according to claim 1 or claim 2 and wherein the solving 
comprises the following: 

a) setting α equal to 0; 

b) setting β equal to 1; 

c) choosing γ such that 2^(n-k-1) < γ < 2^(n-k); 

d) setting T equal to -(M_z·γ + M_x + γ^(-1)) in Z_N; 

e) setting z equal to T / γ in Z; 

f) setting x equal to T - z·γ in Z_N; and 

g) setting y equal to S·(x + M_x + 2·γ^(-1)) in Z_N, 

thereby producing x, y, and z. 

12. The method according to claim 11 and also comprising: 

providing a trusted computation device and a non-trusted 
computation device, 

wherein step d) comprises performing a computation in the non-
trusted computation device. 

13. The method according to claim 12 and wherein the computation in 
the non-trusted computation device comprises a computation of γ^(-1). 

14. The method according to claim 13 and wherein the computation in 
the non-trusted computation device is protected from tampering by performing a 
blinding method in the trusted computation device. 

15. The method according to claim 14 and also comprising verifying a 
result of the computation in the non-trusted computation device. 
16. A message signer for digitally signing a message based on a 
message digest (M_x, M_z), a modulus N, and a number V in the ring Z_N, wherein 
for another number S in the ring Z_N, V·S^2 = 1 in Z_N, the message signer comprising: 

a solver for solving the equation (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N 
to produce x, y, and z; and 

a signature assignor for assigning SIG as the signature of (M_x, M_z), 
wherein SIG comprises (x, y). 

17. Apparatus according to claim 16 and substantially as described 
hereinabove. 

18. Apparatus according to claim 16 and substantially as shown in the 
drawings. 

19. A method according to any of claims 1-15 and substantially as 
described hereinabove. 

20. A method according to any of claims 1-15 and substantially as 
shown in the drawings. 

20 



Respectfully submitted, 

Sanford T. Colb & Co. 
NDS LIMITED 
FIVE SHEETS, SHEET NO. 1 

FIG. 1 (method 100): 
Provide a message digest (M_x, M_z). 
Provide a modulus N. 
Provide a number V in the ring Z_N, wherein for another number S in the ring Z_N, V·S^2 = 1 in Z_N. 
Solve the equation (M_x + x)^2 - V·y^2 = 4·(M_z + z) in Z_N to produce x, y, and z. 
Assign (x, y) or (x, y, z) as the signature of (M_x, M_z). 

FIVE SHEETS, SHEET NO. 2 

FIG. 2A: 
Step 110: Choose α and β in Z such that 0 ≤ α < β < 2^(k-1) and gcd(α, β) = 1. 
Step 120: Choose γ in Z such that 2^(n-k-1) < γ < 2^(n-k) and β | (α·N + γ). 
Step 130: Set R ← (α·N + γ) / β. 
Step 140: Set T ← -(M_z·R + M_x + R^(-1)) (in Z_N). 
Step 150: If β = 1 or T < 8·γ (in Z), set U ← 0 and W ← 0 and continue at step 210; otherwise continue at step 160. 

FIVE SHEETS, SHEET NO. 3 

FIG. 2B: 
Step 160: Set D ← α^(-1) (in Z_β, not in Z_N; i.e., α·D = 1 in Z_β). 
Step 170: Set A ← N / β (in Z; i.e., integer division with truncation). 
Step 180: Set B ← (T - 8·γ) / A (in Z; i.e., integer division with truncation). 
Step 190: Set U ← B·D (in Z_β, not in Z_N). 
Step 200: Set W ← U·R (in Z_N). 
Step 210: Set C ← (T - W) / γ (in Z; i.e., integer division with truncation). 
Step 220: Set z ← U + β·C (in Z_N). 
Step 230: Set x ← T - z·R (in Z_N). 
Step 240: Set y ← S·(x + M_x + 2·R^(-1)) (in Z_N). 

FIG. 3: 
Step 250: Choose γ in Z such that 2^(n-k-1) < γ < 2^(n-k). 
Step 260: Set T ← -(M_z·γ + M_x + γ^(-1)) (in Z_N). 
Step 270: Set z ← T / γ (in Z; i.e., integer division with truncation). 
Step 290: Set x ← T - z·γ (in Z_N). 
Step 300: Set y ← S·(x + M_x + 2·γ^(-1)) (in Z_N). 

FIG. 4 (block diagram): a MESSAGE SIGNER receiving (M_x, M_z), comprising a SOLVER that produces (x, y, z) and a SIGNATURE ASSIGNOR that outputs SIG = (x, y). 